The s6-connlimit program

s6-connlimit is a small utility to perform IP-based
control on the number of client connections to a TCP socket, and
uid-based control on the number of client connections to a Unix
domain socket.

Interface

s6-connlimit prog...

s6-connlimit reads its environment for the PROTO
environment variable, and then for ${PROTO}CONNNUM and ${PROTO}CONNMAX,
which must contain integers.

If the value of ${PROTO}CONNNUM is greater than or equal to the value
of ${PROTO}CONNMAX, s6-connlimit exits 1 with an error message.

Else it execs into prog....

If ${PROTO}CONNMAX is unset, s6-connlimit directly execs into
prog... without performing any check:
no maximum number of connections has been defined.

Usage

The s6-tcpserver4 and
s6-tcpserver6 programs set the PROTO environment
variable to "TCP", and spawn every child server with the TCPCONNNUM environment
variable set to the number of connections from the same IP address.
The s6-tcpserver-access program
can set environment variables depending on the client's IP address. If the
s6-tcpserver-access database is configured to set the TCPCONNMAX environment
variable for a given set of IP addresses, and s6-tcpserver-access execs into
s6-connlimit, then s6-connlimit will drop connections if there already are
${TCPCONNMAX} connections from the same client IP address.

Example

will run a server listening to IPv4 address 1.2.3.4, on port 80,
serving up to 1000 concurrent connections, and up to 40 concurrent
connections from the same IP address, no matter what the IP address.
For every client connection, it will look up the database set up
in dir; if the connection is accepted, it will run prog....

If the dir/ip4/5.6.7.8_32/env/TCPCONNMAX file
exists and contains the string 30, then at most 30 concurrent
connections from 5.6.7.8 will execute prog..., instead of the
default of 40.
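
The decision rules from the Interface section, applied to the limits in the example above (40 by default, 30 for 5.6.7.8), as an added shell sketch that is not s6 code. connlimit_decide and is_uint are hypothetical names, the function returns a status instead of exec'ing into prog..., and the status 100 for a missing or non-integer value is an assumption, since the page only says the values must contain integers.

```shell
#!/bin/sh
# Added sketch of the check s6-connlimit performs before exec'ing prog...
# connlimit_decide (hypothetical name) returns:
#   0   -> would exec into prog...
#   1   -> limit reached (s6-connlimit exits 1 with an error message)
#   100 -> PROTO or a counter is missing/non-integer (status assumed here)

is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

connlimit_decide() {
  # PROTO is used as a variable-name prefix: accept only identifier
  # characters so the eval below cannot be fed shell syntax.
  case "${PROTO:-}" in
    ''|*[!A-Za-z0-9_]*|[0-9]*) return 100 ;;
  esac
  eval "max=\${${PROTO}CONNMAX-}; maxset=\${${PROTO}CONNMAX+y}"
  eval "num=\${${PROTO}CONNNUM-}"
  # ${PROTO}CONNMAX unset: no maximum defined, prog... runs unchecked.
  [ -n "$maxset" ] || return 0
  is_uint "$num" && is_uint "$max" || return 100
  # Refuse when the current count is greater than or equal to the maximum.
  [ "$num" -ge "$max" ] && return 1
  return 0
}

# Constructed values mirroring the page's example, written as MAX:NUM.
# 40 is the default limit, 30 the per-address override for 5.6.7.8.
PROTO=TCP
for pair in 40:39 40:40 30:29 30:30; do
  TCPCONNMAX=${pair%%:*} TCPCONNNUM=${pair##*:}
  rc=0; connlimit_decide || rc=$?
  echo "TCPCONNMAX=$TCPCONNMAX TCPCONNNUM=$TCPCONNNUM -> status $rc"
done
```
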

Notes

The s6-connlimit utility was once part of the
s6-networking
suite, and is mostly useful with TCP connections, which is why the
examples here involve TCP. Nevertheless, it can be used with connections
across Unix domain sockets, and that is why it has been moved to the s6
package.